IL Exercise 14: Packet Analysis

This exercise uses Wireshark to analyze network traffic which has already been captured and stored in a file. You will do the work on the Immersive Labs platform, so make sure you have set up access before you begin.

Introduction to Wireshark

  1. Login to Immersive Labs and start the Intro to Wireshark lab. While you wait for the Linux VM to spin up, click on the Info button at the top-right of the screen and read the information panel.

  2. When the Linux VM desktop is visible, click the Applications button at the top-left. Choose Internet > Wireshark to run the application.

  3. In the Wireshark UI, choose File > Open or press Ctrl+O. Browse to /home/forensics/Desktop/LabFiles/Wireshark-Setup and open the file named wireshark_setup.pcapng. You should be able to see the details of nearly 80,000 captured network packets.

  4. Experiment with filtering displayed packets. You can specify a filter by entering it in the text field immediately beneath the Wireshark toolbar. Click on the blue ribbon icon on the left of the text field to see or select from some common examples of filters. See also the lab’s information panel and the relevant Wireshark wiki page for more examples.

    Here’s an example of a filter to show only HTTP GET requests:

    http.request.method == "GET"

    You can use eq in place of == if you prefer. The effect of this in Wireshark is to limit the display to only 2.4% of the captured packets:

    [Screenshot: Example of Wireshark display filtering]

    You can see here that the Protocol column is displaying only HTTP and the Info column is displaying only GET requests.

  5. Click on the Tasks button at the top-right of the screen, then examine the five questions on the tasks panel. Use Wireshark together with what you’ve learned from your experiments to answer the questions. When you’ve finished, click the Submit button to complete the lab.
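The filters in step 4 can be combined with and, or, not and parentheses, a bare protocol name (such as http) keeps every packet that carries that layer, and a field comparison such as tcp.port == 80 is true if any occurrence of the field matches. The Python below is an added example written for this sheet, not part of Wireshark or of the lab: it implements that subset of the display-filter language and runs it over a handful of constructed packet records (the layers, ports and stream numbers are made up) so the effect of a filter can be checked offline.

```python
"""Evaluator for a small subset of Wireshark display-filter syntax. Added example,
not Wireshark's own filter engine: bare protocol names (http, ftp-data), == / eq /
!= / ne comparisons, and / or / not and parentheses, over constructed packets."""
import re

def packet(layers, fields):
    return {"protocols": set(layers.split()), "fields": fields}

# Constructed stand-in for a capture: the dissected layers plus the field values
# Wireshark would expose; multi-occurrence fields such as tcp.port hold a list.
SAMPLE_PACKETS = [
    packet("eth ip tcp", {"tcp.port": [51000, 80], "tcp.stream": 0}),
    packet("eth ip tcp http", {"tcp.port": [51000, 80], "tcp.stream": 0, "http.request.method": "GET"}),
    packet("eth ip tcp http", {"tcp.port": [51001, 80], "tcp.stream": 1, "http.request.method": "POST"}),
    packet("eth ip tcp ftp", {"tcp.port": [52000, 21], "tcp.stream": 2, "ftp.request.command": "RETR"}),
    packet("eth ip tcp ftp-data", {"tcp.port": [20, 52001], "tcp.stream": 3}),
    packet("eth ip tcp ftp-data", {"tcp.port": [20, 52001], "tcp.stream": 3}),
]

TOKEN_RE = re.compile(r'(==|!=|[()])|"([^"]*)"|(\d+)|([A-Za-z_][\w.\-]*)|(\S)')
KEYWORDS, ALIASES = ("and", "or", "not"), {"eq": "==", "ne": "!="}

def tokenize(text):
    """Split a filter into (kind, value) tokens (op, kw, value, field); the regex has
    one alternative per kind, so m.lastindex says which matched; whitespace is skipped."""
    tokens = []
    for m in TOKEN_RE.finditer(text):
        kind, val = m.lastindex, m.group(m.lastindex)
        if kind == 5:
            raise ValueError(f"unexpected {val!r} in filter")
        if kind == 1:
            tokens.append(("op", val))
        elif kind in (2, 3):
            tokens.append(("value", int(val) if kind == 3 else val))
        elif val.lower() in KEYWORDS:
            tokens.append(("kw", val.lower()))
        else:
            tokens.append(("op", ALIASES[val]) if val in ALIASES else ("field", val))
    return tokens

def compile_filter(text):
    """Recursive-descent parser; returns a predicate packet -> bool for the filter."""
    tokens, pos = tokenize(text) + [("end", None)], 0
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def binary(level=0):                            # 'or' (level 0) binds looser than 'and' (1)
        if level == 2:
            return negation()
        keyword, fn = (("or", lambda a, b: a or b), ("and", lambda a, b: a and b))[level]
        node = binary(level + 1)
        while tokens[pos] == ("kw", keyword):
            take()
            node = (lambda l, r: lambda p: fn(l(p), r(p)))(node, binary(level + 1))
        return node

    def negation():
        if tokens[pos] != ("kw", "not"):
            return primary()
        take()
        inner = negation()
        return lambda p: not inner(p)

    def primary():                                  # ( expr ) | field [op value]
        kind, name = take()
        if (kind, name) == ("op", "("):
            node = binary()
            if take() != ("op", ")"):
                raise ValueError("missing ')'")
            return node
        if kind != "field":
            raise ValueError(f"expected a field name, got {name!r}")
        if tokens[pos] not in (("op", "=="), ("op", "!=")):
            # A bare name is true when that protocol layer (or field) is present.
            return lambda p: name in p["protocols"] or name in p["fields"]
        op, (vkind, value) = take()[1], take()
        if vkind not in ("value", "field"):         # an unquoted word is a literal
            raise ValueError(f"expected a value after {op}")
        def any_equal(p):                           # '==' holds if any occurrence matches
            values = p["fields"].get(name, [])
            return value in (values if isinstance(values, list) else [values])
        # Since Wireshark 3.6, 'a != b' is defined as !(a == b); the same here.
        return any_equal if op == "==" else (lambda p: not any_equal(p))

    node = binary()
    if tokens[pos][0] != "end":
        raise ValueError(f"unexpected {tokens[pos][1]!r} after expression")
    return node

def apply_filter(packets, text):
    """Return the packets a display filter would keep in the packet list."""
    keep = compile_filter(text)
    return [p for p in packets if keep(p)]

def displayed_percent(packets, text):
    """Share of the capture still displayed, as Wireshark's status bar reports it."""
    return round(100.0 * len(apply_filter(packets, text)) / len(packets), 1)
```

apply_filter(SAMPLE_PACKETS, 'http.request.method == "GET"') keeps one of the six constructed records, and displayed_percent reports that as 16.7% in the same sense as the 2.4% figure above; "ftp or ftp-data" keeps three. One caveat worth knowing when you write your own filters: since Wireshark 3.6, a != b means !(a == b), so a comparison with != is also true for packets that do not carry the field at all; when that is not what you want, add a presence test, as in http.request.method and http.request.method != "GET".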

Stream Extraction

This goes into more detail about analysis and data extraction tasks that can be performed using Wireshark.

  1. Start the Stream/Object Extraction lab. While you wait for the Linux VM to spin up, click on the Info button at the top-right of the screen and read the information panel.

  2. Run Wireshark as you did for the previous lab, but this time browse to /home/forensics/Desktop/LabFiles/StreamExtraction and open the packet capture file that you find in this directory.

  3. To make answering the questions easier, you should add two additional columns of data to the display: the source port and the stream index. You can do this by first selecting a packet containing a TCP segment, as shown below. In the panel of packet details, click the small drop-down arrow next to Transmission Control Protocol, to reveal TCP details. Right-click on Source Port, then choose Apply as Column. Do the same for Stream Index.

    [Screenshot: Adding a displayed column in Wireshark]

  4. Although you can use filtering to limit the displayed packets to those using a given protocol, it can sometimes be more useful to view that protocol the way that the application layer sees it. Wireshark has the ability to follow a protocol stream, allowing you to more easily make sense of how the protocol is being used.

    Try this out now. Select an FTP packet from the packet list, then choose menu option Analyze > Follow TCP Stream (or right-click on the selected packet and use the context menu). Stream content will be displayed in the same sequence as it appeared on the network. Non-printable characters will be replaced by dots. Traffic from client to server will appear in red, while traffic from server to client will appear in blue.

  5. Wireshark can scan the streams for certain protocols and reassemble objects such as HTML documents, images and other files, allowing you to save them to disk.

    Try this out now. Choose File > Export Objects > HTTP. After a short delay, a dialog box will appear, listing details of all the recovered objects. You can select and save individual objects or save all of them to a specified location. Try saving the file show_ads.js to the Downloads directory.

  6. Repeat the previous step, this time for the SMB protocol. SMB, or Server Message Block, is a file sharing protocol used mainly by Microsoft Windows. Try saving the file secret_docs.docx to the Downloads directory.

  7. Click on the Tasks button at the top-right of the screen, then examine the five questions on the tasks panel. Use Wireshark, together with what you’ve learned from the information panel and the earlier experiments, to answer the questions. When you are finished, click Submit to complete the lab.

    Hints:

    • For Q2, note that using ftp as a filter will show you only the packets associated with FTP’s command channel. FTP uses a separate channel to transfer data. To see traffic for both channels, you can filter with

      ftp or ftp-data

      or just use ftp-data to see only the packets involved in data transfer.

    • If you’ve followed the earlier steps, you will already have the files needed to answer Q4 & Q5. You will find it useful to start a terminal window to answer these questions.

    • For Q4, note that .docx files are effectively Zip archives, whose contents can be extracted using the unzip command.
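Steps 3 to 7 above form one chain: give each conversation a stream index, follow the stream to see its bytes in order, export the object the stream carried, and then open the .docx as the Zip archive it is. The Python below reproduces that chain as an added example written for this sheet; it is not part of the lab or of Wireshark, and instead of reading the lab's capture it constructs its own packet records (a download of a file named secret_docs.docx over HTTP plus one FTP command, with made-up hosts, ports and file contents).

```python
"""Follow a TCP stream, carve the downloaded file out of it and open the .docx
as a Zip archive. Added example, not part of the lab or of Wireshark: constructed
packet records stand in for the capture, and the reassembly mirrors what the
Follow TCP Stream and Export Objects features do."""
import io
import re
import zipfile
from collections import defaultdict

def build_docx_bytes(text):
    """Build a minimal .docx-like Zip archive (constructed for this example)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", f"<w:document><w:body><w:p><w:r><w:t>{text}</w:t></w:r></w:p></w:body></w:document>")
    return buf.getvalue()

def segments(src, dst, first_seq, data, size):
    """Cut data into TCP-segment-like records; src/dst are (ip, port) pairs."""
    return [{"src": src, "dst": dst, "seq": first_seq + off, "payload": data[off:off + size]}
            for off in range(0, len(data), size)]

# Constructed traffic: an HTTP download of secret_docs.docx plus an unrelated FTP
# command; the server's segments arrive out of order and one is retransmitted,
# which is exactly what makes the raw packet list hard to read by eye.
DOCX = build_docx_bytes("Project Falcon budget: CONFIDENTIAL")
CLIENT, SERVER = ("10.0.0.5", 49152), ("10.0.0.9", 80)
REQUEST = b"GET /files/secret_docs.docx HTTP/1.1\r\nHost: fileserver\r\n\r\n"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            + b"Content-Length: %d\r\n\r\n" % len(DOCX) + DOCX)
server_segs = segments(SERVER, CLIENT, 5000, RESPONSE, 200)
PACKETS = (segments(CLIENT, SERVER, 1000, REQUEST, 64)
           + server_segs[::-1]                                   # out-of-order arrival
           + [dict(server_segs[0])]                              # retransmission
           + segments(("10.0.0.5", 49153), ("10.0.0.9", 21), 1, b"USER anon\r\n", 64))

def assign_stream_index(packets):
    """Number conversations like Wireshark's tcp.stream column: both directions
    of one connection share an index, handed out on first sight."""
    index = {}
    for p in packets:
        p["stream"] = index.setdefault(frozenset((p["src"], p["dst"])), len(index))
    return index

STREAMS = assign_stream_index(PACKETS)

def follow_tcp_stream(packets, stream):
    """Reassemble each direction of a stream by sequence number, dropping exact
    retransmissions (overlapping segments are not handled). Returns {(src, dst): bytes}."""
    by_dir = defaultdict(dict)
    for p in packets:
        if p["stream"] == stream:
            by_dir[(p["src"], p["dst"])].setdefault(p["seq"], p["payload"])
    return {d: b"".join(segs[s] for s in sorted(segs)) for d, segs in by_dir.items()}

def client_direction(packets, stream):
    """The side that sent the first segment of the stream is taken as the client."""
    first = next(p for p in packets if p["stream"] == stream)
    return first["src"], first["dst"]

def render_stream(packets, stream):
    """Text as the Follow TCP Stream window shows it: client->server first, each
    direction labelled, non-printable bytes replaced with dots."""
    client, data = client_direction(packets, stream), follow_tcp_stream(packets, stream)
    out = []
    for direction in sorted(data, key=lambda d: d != client):
        label = "client->server" if direction == client else "server->client"
        text = "".join(chr(b) if 32 <= b < 127 or b in (10, 13) else "." for b in data[direction])
        out.append(f"[{label}, {len(data[direction])} bytes]\n{text}")
    return "\n".join(out)

def export_http_object(packets, stream):
    """Carve the response body as Export Objects > HTTP does: the request path
    gives the file name, Content-Length the size. Returns (name, bytes)."""
    client, data = client_direction(packets, stream), follow_tcp_stream(packets, stream)
    name = data[client].split()[1].rsplit(b"/", 1)[-1].decode()
    head, _, body = data[(client[1], client[0])].partition(b"\r\n\r\n")
    length = int(re.search(rb"(?i)content-length:\s*(\d+)", head).group(1))
    return name, body[:length]

def docx_text(blob):
    """A .docx is a Zip archive: check the signature, list the members and pull
    the visible text out of word/document.xml. Returns (names, text)."""
    if not blob.startswith(b"PK\x03\x04"):
        raise ValueError("not a Zip archive")
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
        xml = zf.read("word/document.xml").decode()
    return names, " ".join(re.findall(r"<w:t(?:\s[^>]*)?>([^<]*)</w:t>", xml))

if __name__ == "__main__":
    print(render_stream(PACKETS, 0))
    name, body = export_http_object(PACKETS, 0)
    print(name, *docx_text(body))
```

Running it prints the stream the way the Follow TCP Stream window would show it, then the carved file name, the archive's member list and the text found in word/document.xml (the same thing unzip followed by a look inside word/document.xml gives you for Q4). Two simplifications to keep in mind against a real capture: retransmissions are recognised only as exact repeats of a segment's sequence number, and the HTTP object is sized by Content-Length alone, so chunked transfer encoding is not handled.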